worker_processes <%= p('director.nginx.workers') %>;
daemon off;

error_log /var/vcap/sys/log/director/error.log;
pid       /var/vcap/data/director/nginx.pid;

events {
  worker_connections 8192;
}

http {
  include      /var/vcap/jobs/director/config/mime.types;
  default_type text/html;

  client_body_temp_path /var/vcap/data/director/tmp/client_body;
  proxy_temp_path /var/vcap/data/director/tmp/proxy;
  fastcgi_temp_path /var/vcap/data/director/tmp/fastcgi;
  uwsgi_temp_path /var/vcap/data/director/tmp/uwsgi;
  scgi_temp_path /var/vcap/data/director/tmp/scgi;

  server_names_hash_max_size     512;
  server_names_hash_bucket_size  64;

  log_format timed_combined '$remote_addr - $remote_user [$time_local] '
                            '"$request" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent" '
                            '$request_time $upstream_response_time $pipe';

  access_log    /var/vcap/sys/log/director/access.log timed_combined;
  server_tokens off;

  sendfile    off;
  tcp_nopush  on;
  tcp_nodelay on;

  keepalive_timeout    <%= p('director.timeout') %>;
  client_max_body_size <%= p('director.max_upload_size') %>;

  upstream director {
    server 127.0.0.1:<%= p('director.backend_port') %>;
  }

  server {
    listen <%= p('director.port') %> ssl;
    <% if p('director.ipv6_listen') %>listen [::]:<%= p('director.port') %> ssl;<% end %>

    ssl_certificate     /var/vcap/jobs/director/config/ssl/director.pem;
    ssl_certificate_key /var/vcap/jobs/director/config/ssl/director.key;
    ssl_session_timeout <%= p('director.timeout') %>;
    <% if p('director.nginx.ssl_prefer_server_ciphers') %>ssl_prefer_server_ciphers On;<% end %>
    ssl_protocols <%= p('director.nginx.ssl_protocols') %>;
    ssl_ciphers <%= p('director.nginx.ssl_ciphers') %>;

    proxy_set_header    X-BOSH-UPLOAD-REQUEST-TIME $request_time;
    proxy_set_header    X-Sendfile-Type            X-Accel-Redirect;
    proxy_set_header    X-Accel-Mapping            /=/x_accel_files/;
    proxy_set_header    Host                       $http_host;
    proxy_set_header    X-Real-IP                  $remote_addr;
    proxy_set_header    X-Forwarded-For            $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto          $scheme;
    # Remove X-Forwarded-Host from request for CVE-2024-21510
    proxy_set_header    X-Forwarded-Host           "";

    proxy_read_timeout       <%= p('director.proxy_timeout') %>;
    proxy_max_temp_file_size 0;

    location /x_accel_files/ {
      internal;
      alias /;
    }

    location /metrics {
      internal;
    }

    location / {
      proxy_pass http://director;

      if ($content_type = "application/x-compressed") {
        more_set_input_headers "Content-Disposition: attachment";

        # Pass altered request body to this location
        upload_pass @director_upload;

        upload_resumable on;

        # Store files to this directory
        upload_store /var/vcap/data/director/tmp;

        # Allow uploaded files to be read only by user
        upload_store_access user:r;

        # Set specified fields in request body
        upload_set_form_field "nginx_upload_path" $upload_tmp_path;

        # On any error, delete uploaded files.
        upload_cleanup 400-505;
      }

      <% if p('director.nginx.enable_metrics_endpoint') %>
      location /stats {
        # Config for basic metrics module: ngx_http_stub_status_module
        stub_status;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
      }
      <% end %>
    }

    location @director_upload {
      proxy_pass http://director;
    }
  }


<% if p('director.metrics_server.enabled') && p('director.metrics_server.listen_on_external_interface') %>
  upstream metrics_server {
    server 127.0.0.1:<%= p('director.metrics_server.backend_port') %>;
  }

  server {
    listen <%= p('director.metrics_server.port') %> ssl;

    ssl_certificate     /var/vcap/jobs/director/config/metrics_server/certificate.pem;
    ssl_certificate_key /var/vcap/jobs/director/config/metrics_server/private_key.key;
    ssl_session_timeout <%= p('director.timeout') %>;
    <% if p('director.nginx.ssl_prefer_server_ciphers') %>ssl_prefer_server_ciphers On;<% end %>
    ssl_protocols <%= p('director.nginx.ssl_protocols') %>;
    ssl_ciphers <%= p('director.nginx.ssl_ciphers') %>;

    # turn on mutual TLS
    ssl_client_certificate /var/vcap/jobs/director/config/metrics_server/ca.pem;
    ssl_verify_client on;

    proxy_read_timeout       <%= p('director.proxy_timeout') %>;

    location / {
      proxy_pass http://metrics_server;
    }

    location /api_metrics {
      proxy_pass http://director/metrics;
    }
  }
<% end %>

  gzip                 on;
  gzip_min_length      1250;
  gzip_buffers         16 8k;
  gzip_comp_level      2;
  gzip_proxied         any;
  gzip_types           text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_vary            on;
  gzip_disable         "MSIE [1-6]\.(?!.*SV1)";
}
